oceanlotus-apt32-network

Hunt Hypothesis

The hypothesis is that the detected network activity aligns with the known tactics of APT32/OceanLotus, indicating potential command and control communication or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity early in the attack lifecycle.

KQL Query

//Network activities 
DeviceNetworkEvents 
| where Timestamp > ago(30d) 
| where RemoteUrl in ( 
//'Malicious URL Indicators for OceanLotus Activities 2019', 
'open.betaoffice.net', 
'outlook.updateoffices.net', 
'load.newappssystems.com', 
'syn.servebbs.com', 
//'C2 Indicators for OceanLotus Activities 2019', 
'cortanazone.com', 
'cortanasyn.com', 
'ristineho.com', 
'syn.servebbs.com')

Analytic Rule Definition

id: 8e2c33f5-0c00-4246-b10b-9fb43da56365
name: oceanlotus-apt32-network
description: |
  This query was originally published in a threat analytics report about the group known to other security researchers as APT32 or OceanLotus
  This tracked activity group uses a wide array of malicious documents to conduct attacks. Some of their favored techniques include sideloading dynamic link libraries,  and disguising payloads as image files.
  The following query detects network activity that may indicate an attack by this group.
  See Detect malicious documents associated with group known as "OceanLotus" for another query related to this group's activity.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
tactics:
- Discovery
- Lateral movement
- Command and control
query: |
  //Network activities 
  DeviceNetworkEvents 
  | where Timestamp > ago(30d) 
  | where RemoteUrl in ( 
  //'Malicious URL Indicators for OceanLotus Activities 2019', 
  'open.betaoffice.net', 
  'outlook.updateoffices.net', 
  'load.newappssystems.com', 
  'syn.servebbs.com', 
  //'C2 Indicators for OceanLotus Activities 2019', 
  'cortanazone.com', 
  'cortanasyn.com', 
  'ristineho.com', 
  'syn.servebbs.com')

Required Data Sources

Sentinel Table	Notes
`DeviceNetworkEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Discovery
Tactic: Lateral movement
Tactic: Command and control

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/oceanlotus-apt32-network.yaml)

False Positive Guidance

Scenario: Legitimate scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude traffic where the source IP is associated with the Veeam backup server and the destination is a known internal backup storage system.
Scenario: Admin task using PowerShell to update system patches
Filter/Exclusion: Exclude PowerShell scripts that are signed by a trusted certificate and executed from the C:\Windows\System32\WindowsPowerShell\v1.0\ directory.
Scenario: Network discovery using Nmap with internal IP ranges
Filter/Exclusion: Exclude Nmap scans originating from the internal network and targeting internal IP ranges (e.g., 192.168.0.0/16 or 10.0.0.0/8).
Scenario: Legitimate remote desktop connection using Microsoft Remote Desktop
Filter/Exclusion: Exclude RDP sessions where the source IP is a known internal IP or part of the organization’s remote access network.
Scenario: Automated log collection using Splunk Forwarder
Filter/Exclusion: Exclude traffic from the Splunk Forwarder to the Splunk Indexer, identified by the source IP of the forwarder and the destination IP of the indexer.